HTTP URL Load Balancing Configuration

Answered Question
Jul 9th, 2010

Hi,


We have an ACE 4710 and we need to configure it for HTTP URL Load Balancing between two server farms.

For example we need url (https://www.test.com) to load balance to Server Farm 1 and another url (https://www.test.com/test1) to load balance to Server Farm 2.

Can you give me an example of the match statements that need to be configured?


class-map type http load balance match-all SF1

match http url http://www.test.com


class-map type http load balance match-all SF2

match http url http://www.test.com/test1


Are these statements correct?


Thanks in advance,

Theofilos Sakoulias


I would do it this way.


class-map type http loadbalance match-all SF1
  2 match http header Host header-value "www.test.com"


class-map type http loadbalance match-all SF2
  2 match http header Host header-value "www.test.com"
  3 match http url /test1


policy-map type loadbalance first-match Loadbalance-pm
  class SF2
    serverfarm ServerFarm2
  class SF1
    serverfarm ServerFarm1
  class class-default
    serverfarm DefaultServerFarm


Just remember to have the most specific rule first in the policy-map and use match-all statements. If you put the SF1 class first then anything else under it will not be processed.


Regards,

Dave.

tsakoulias Fri, 07/09/2010 - 02:57

Hi David,


Is there any difference if I use https instead of http?

I have already configured ssl proxy service under the policy map type load balance.

Furthermore, do we need to use urlrewrite?


Below you can find our current config :


switch/Admin# sh run
Generating configuration....



resource-class Sticky
  limit-resource all minimum 0.00 maximum unlimited
  limit-resource sticky minimum 10.00 maximum equal-to-min


boot system image:c4710ace-mz.A3_2_5.bin


interface gigabitEthernet 1/1
  description Management
  switchport access vlan 1000
  no shutdown
interface gigabitEthernet 1/2
  description Servers
  switchport access vlan 990
  no shutdown
interface gigabitEthernet 1/3
  description Clients
  switchport access vlan 991
  no shutdown
interface gigabitEthernet 1/4
  description FT Port
  ft-port vlan 999
  no shutdown



crypto chaingroup Chain_Group_2010
  cert CERT
  cert Intermediate
context Admin
  member Sticky




access-list ALL line 8 extended permit ip any any
access-list ALL line 9 extended permit icmp any any




probe http HTTP_Probe
  description HTTP_Probe
  port 8080
  interval 15
  passdetect interval 60
  request method get url \
  expect status 0 999
  open 1
probe icmp ICMP_Probe
  description ICMP_Probe
  interval 15
  passdetect interval 60



rserver host Serv3
  description Serv3
  ip address 172.16.3.113
  probe ICMP_Probe
  probe HTTP_Probe
  inservice
rserver host Serv4
  description Serv4
  ip address 172.16.3.114
  probe ICMP_Probe
  probe HTTP_Probe
  inservice
rserver host Serv7
  description Serv7
  ip address 172.16.3.117
  probe ICMP_Probe
  probe HTTP_Probe
  inservice


action-list type modify http urlrewrite
  ssl url rewrite location "my\.test\.com.*"


serverfarm host Server_Farm_Pilot
  description Server_Farm_Pilot
  failaction purge
  rserver Serv3 8080
    probe ICMP_Probe
    probe HTTP_Probe
    inservice
  rserver Serv4 8080
    probe ICMP_Probe
    probe HTTP_Probe
    inservice
serverfarm host Server_Farm_2
  description Server_Farm_2
  failaction purge
  probe HTTP_Probe
  probe ICMP_Probe
  rserver Serv7 8080
    probe ICMP_Probe
    probe HTTP_Probe
    inservice


ssl-proxy service Proxy_Service_2010
  key KEY
  cert CERT
  chaingroup Chain_Group_2010


sticky http-cookie COOKIE Sticky_Group
  replicate sticky
  serverfarm Server_Farm_Pilot




class-map match-all VIP_HTTP
  2 match virtual-address 172.16.1.210 tcp eq www
class-map match-all Virtual_Server_Pilot
  2 match virtual-address 172.16.1.210 tcp eq https
class-map type management match-any remote_access
  201 match protocol xml-https any
  202 match protocol icmp any
  203 match protocol telnet any
  204 match protocol ssh any
  205 match protocol http any
  206 match protocol https any
  207 match protocol snmp any


policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit


policy-map type loadbalance first-match VIP_HTTP-l7slb
  class class-default
    sticky-serverfarm Sticky_Group
policy-map type loadbalance first-match Virtual_Server_Pilot-l7slb
  class class-default
    sticky-serverfarm Sticky_Group
    action urlrewrite


policy-map multi-match int991
  class Virtual_Server_Pilot
    loadbalance vip inservice
    loadbalance policy Virtual_Server_Pilot-l7slb
    loadbalance vip icmp-reply
    ssl-proxy server Proxy_Service_2010
  class VIP_HTTP
    loadbalance vip inservice
    loadbalance policy VIP_HTTP-l7slb


interface vlan 990
  description Servers
  ip address 172.16.3.201 255.255.255.0
  alias 172.16.3.203 255.255.255.0
  peer ip address 172.16.3.202 255.255.255.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 991
  description Clients
  ip address 172.16.1.201 255.255.255.0
  alias 172.16.1.203 255.255.255.0
  peer ip address 172.16.1.202 255.255.255.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  service-policy input int991
  no shutdown
interface vlan 1000
  description Management
  ip address 10.10.10.201 255.255.255.0
  alias 10.10.10.203 255.255.255.0
  peer ip address 10.10.10.202 255.255.255.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown


ft interface vlan 999
  ip address 1.1.1.1 255.255.255.0
  peer ip address 1.1.1.2 255.255.255.0
  no shutdown


ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 999
ft group 1
  peer 1
  priority 110
  associate-context Admin
  inservice
 
ft track host TRACK_HOST1
  track-host 172.16.3.113
  probe ICMP_Probe priority 20
ft track interface Track_Clients
  track-interface vlan 991
  peer track-interface vlan 991
  priority 20
ft track interface Track_Servers
  track-interface vlan 990
  peer track-interface vlan 990
  priority 20


ip route 0.0.0.0 0.0.0.0 172.16.1.121



switch/Admin#



The difference is that our url is https://www.my.test.com. So according to your solution the header value should be modified to "www.my.test.com"?


Thanks

Correct Answer

Yes you have to modify the header for the site you are using.


Also the ACE is terminating the HTTPS session between the client and ACE. When it sends traffic to the servers it will be HTTP and therefore the solution I gave you would be fine as the SSL Termination happens before the Layer 7 class-maps are checked and applied.


Something like....


match layer 4 class-map for HTTPS traffic and IP address

terminate SSL connection

go to policy-map

check layer 7 class-map statement for a first-match

loadbalance to serverfarm when match is found



I would also recommend using SSL-rewrite to handle any HTTP 30x codes that may be generated by the website. Just to be sure.


Dave.

tsakoulias Thu, 07/15/2010 - 02:51

Hi David,


I did the following :


class-map type http loadbalance match-all ClientA
  2 match http header Host header-value "my.domain.com"
  3 match http url /ClientA
class-map type http loadbalance match-all Main_Domain
  2 match http header Host header-value "my.domain.com"
class-map type http loadbalance match-all ClientB
  2 match http header Host header-value "my.domain.com"
  3 match http url /ClientB



policy-map type loadbalance first-match VIP_HTTP-l7slb
  class ClientA
    sticky-serverfarm Sticky_ClientA
  class ClientB
    sticky-serverfarm Sticky_ClientB
  class Main_Domain
    sticky-serverfarm Sticky_Main_Domain



When I test the above config, I don't get the desired functionality. All the connections (to http://mydomain.com, http://mydomain.com/ClientA and http://mydomain.com/ClientB) are load balanced to serverfarm Sticky_Main_Domain. When I remove the Main_Domain class map all the connections are dropped, which indicates that no connection requests are matched to class maps ClientA and ClientB.


Any help would be appreciated


Thanks

tsakoulias Fri, 07/16/2010 - 00:20

I found the solution.


The final config should be like this one :


class-map type http loadbalance match-all ClientA
  2 match http header Host header-value "my.domain.com"
  3 match http url /ClientA/.*
class-map type http loadbalance match-all Main_Domain
  2 match http header Host header-value "my.domain.com"
class-map type http loadbalance match-all ClientB
  2 match http header Host header-value "my.domain.com"
  3 match http url /ClientB/.*



policy-map type loadbalance first-match VIP_HTTP-l7slb
  class ClientA
    sticky-serverfarm Sticky_ClientA
  class ClientB
    sticky-serverfarm Sticky_ClientB
  class Main_Domain
    sticky-serverfarm Sticky_Main_Domain


Watch the regular expressions in red !!!!!


Thank you all for your help.
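
The behaviour reported in the last two posts, as an added example that is not part of the original thread and is not ACE code: a small Python model of first-match class selection over match-all class maps. It assumes that a "match http url" expression has to match the whole URL path, which is consistent with the fix above; build_policy, select_farm and shadowed_classes are hypothetical helper names and the probe requests are constructed.

```python
import re

# Added model of the thread's load-balance policy; not ACE code.
# Assumption: a "match http url" expression must match the entire URL path
# (modelled with re.fullmatch). Host is compared literally for simplicity.
HOST = "my.domain.com"

def build_policy(url_a, url_b):
    """Ordered (class, host, url_regex, serverfarm) entries, first-match."""
    return [
        ("ClientA", HOST, url_a, "Sticky_ClientA"),
        ("ClientB", HOST, url_b, "Sticky_ClientB"),
        ("Main_Domain", HOST, None, "Sticky_Main_Domain"),
    ]

FIRST_ATTEMPT = build_policy(r"/ClientA", r"/ClientB")
FINAL_CONFIG = build_policy(r"/ClientA/.*", r"/ClientB/.*")

def select_farm(policy, host, path):
    """Return the serverfarm of the first class whose match-all conditions
    all hold, or None when nothing matches (no class-default configured)."""
    for _name, want_host, url_re, farm in policy:
        if host.lower() != want_host:
            continue
        if url_re is not None and not re.fullmatch(url_re, path):
            continue
        return farm
    return None

def shadowed_classes(policy, probes):
    """Classes that never win for any probe: a sign of bad ordering."""
    winners = {select_farm(policy, h, p) for h, p in probes}
    return [name for name, _h, _u, farm in policy if farm not in winners]

# Constructed sample requests (Host header, URL path).
PROBES = [
    (HOST, "/"),
    (HOST, "/ClientA/index.html"),
    (HOST, "/ClientB/login"),
]

if __name__ == "__main__":
    for label, policy in (("first attempt", FIRST_ATTEMPT), ("final", FINAL_CONFIG)):
        for host, path in PROBES:
            print(label, path, "->", select_farm(policy, host, path))
        print(label, "shadowed:", shadowed_classes(policy, PROBES))
    # Generic class first: everything lands on Sticky_Main_Domain.
    print(shadowed_classes(FINAL_CONFIG[::-1], PROBES))
```

In this model a request for exactly /ClientA (no trailing slash) still falls through to Main_Domain under the final config, and a request with any other Host value matches no class because the policy has no class-default.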
